Product description

As a network administrator, you can use BIG-IQ Device to centrally manage multiple physical and virtual BIG-IP devices. This management includes pool and utility license management, software image installation, backup and restoration of UCS files, and backup and restoration of specific configuration files to one or more BIG-IP devices. BIG-IQ Device also helps you with device inventory tasks by keeping you apprised of every detail about your managed devices, including health, and provides you with the infrastructure to use SNMP to manage system events and send email alerts.

Screen resolution requirement

To properly display, the BIG-IQ system requires that your screen resolution is set to 1280x1024 or higher.

User documentation for this release

Software installation

For procedures about specifying network options and performing initial configuration, refer to the BIG-IQ System: Licensing and Initial Configuration guide.

Upgrading BIG-IQ Device

Before you can upgrade the BIG-IQ system, you must perform the following tasks:

Download the .iso file for the upgrade from F5 Downloads to /shared/images on the BIG-IQ system. If you need to create this directory, use the exact name /shared/images.

Select a disk volume on which to install the upgrade. You must install the BIG-IQ software on an available volume.

Locate the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to another system for safekeeping.

Warning: These procedures require that the BIG-IQ system is temporarily unavailable and unable to manage BIG-IP devices until the upgrade is complete. BIG-IP devices can continue to manage traffic during this time.

If you have configured the BIG-IQ system in a high availability cluster, perform these steps on each BIG-IQ system in the cluster in immediate succession. It is important to get the cluster members on the same software version as quickly as possible to avoid potential user experience issues.

For specific instructions about upgrading the BIG-IQ system, refer to the BIG-IQ System: Licensing and Initial Configuration guide.

New features

BIG-IP Upgrades

You can use BIG-IQ Device to centrally upgrade BIG-IP devices running version 10.2.0 and later.

BIG-IP Image Deployment

From BIG-IQ Device, you can centrally deploy BIG-IP system configurations to hardware or virtual machines located in your local network or in VMware, OpenStack, or Amazon cloud environments.

BIG-IP License Management

BIG-IQ Device now includes utility licensing features. This includes support for various billing options, support for license grants, or seat licenses, in addition to usage reporting.

BIG-IP Cluster Display

You can now view clustering information for managed devices. This includes trust domains, sync groups, and failover groups.

3rd-Party Authentication Support

BIG-IQ Device now supports RADIUS and LDAP authentication.

Role-Based Access Control

Administrators can now control access to managed device functionality through BIG-IQ Device based on specific roles.

Bulk Discovery

You can configure BIG-IQ Device to discover multiple BIG-IP devices in one task, as opposed to discovering them individually.

BIG-IQ Active-Active Configuration

You can configure BIG-IQ systems in an active-active, high availability (HA) configuration, ensuring immediate configuration synchronization on peer devices. This provides failover protection: if a BIG-IQ system in an active-active HA configuration fails, a peer BIG-IQ system takes over the device management.

Fixes

Issue

Description

ID 467656

OpenSSL is being updated to fix CVE-2014-0221 and CVE-2014-0195. Customers who have configured DTLS clients are no longer vulnerable.

ID 457400

Previously, if you inadvertently added a space after the IP address when searching for an IP address, the search failed. Now, the BIG-IQ system removes any leading and trailing spaces from the address so the search is successful.

ID 452608

When it synchronizes with a new peer, the BIG-IQ system no longer removes user accounts that do not exist on both devices configured in a high availability configuration.

ID 450883

The user interface no longer becomes unstable when you drag a user from the User panel to another panel.

ID 450879

Deleted roles no longer continue to display in the Roles panel.

ID 449991

When the source port and destination port are the same, traffic (such as NTP) initiated from the (NTP) host service is no longer occasionally dropped for the BIG-IQ 7000 platform.

ID 449969

Previously, if you selected the Update Framework On Discovery check box when adding a new device, the discovery process sometimes failed, and the BIG-IQ system might have returned an HTTP error. This issue has been resolved and the discovery process now works as designed.

After you discover multiple devices at once, the Device Properties screen now properly displays the selected device's properties.

ID 440806

Selecting the "Auto update framework" check box when discovering devices running BIG-IP version 11.5.0 now prompts the BIG-IQ system to automatically update the REST framework as required.

ID 425314

If device discovery fails, the BIG-IQ system now prompts you to retry discovery, rather than returning a "(0)null" error message.

Known issues

Issue

Description

Workaround (if available)

ID 509028

When a BIG-IP Device Cluster is used with the F5 HNV Gateway Provider Plugin, and one device is unavailable, the F5 HNV Gateway Provider Plugin cannot apply configuration updates to the remaining devices.

ID 483739

Deployment jobs (Apply Config, Upgrade Software, License Device) work only for devices in the Managed BIG-IPs group. You cannot create a deployment job for devices in any other group, and an Upgrade Legacy Device deployment works only for users who have access to the Managed BIG-IPs group.

ID 482453

Multiple vulnerabilities in the bash binary have been fixed, including CVE-2014-6271, CVE-2014-7169, CVE-2014-7187, CVE-2014-7186, CVE-2014-6277, and CVE-2014-6278. The CVSS score for CVE-2014-6271 is 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C). This vulnerability may allow an attacker to remotely execute code on a system behind a firewall.

ID 480423

Pop up text does not appear properly in Google Chrome version 37 because of changes in the browser's software.

To work around this issue, use Microsoft Internet Explorer version 9.0.x or later or Mozilla Firefox version 26.x or later.

To work around this issue, use the API to delete the IPv6 self IP address; use the URI /mgmt/tm/cloud/net/self to find the address.

ID 475766

A BIG-IQ system in a high availability group might provide only a warning status for an unhealthy peer (displaying a yellow triangle in the BIG-IQ Systems panel) with no additional information supplied.

ID 475324

You cannot use the /usr/sbin/f5ad-create-config script to copy a configuration of a BIG-IP system in appliance mode, due to a strict requirement for SSH access.

ID 474096

You cannot access the BIG-IQ system's user interface using Mozilla Firefox version 31.

This issue is caused by security changes in Firefox. You can view more specific information here: https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/ . This workaround has security implications. To work around this issue: 1) Type about:config in the navigation bar of the Firefox browser. 2) Double-click the "security.use_mozillapkix_verification" option to set it to false.

ID 468310

If you configure a user account with multiple attributes on the RADIUS server (such as Class <value>), BIG-IQ system returns an error when that user attempts to log in.

To resolve this issue, edit the configuration file on the RADIUS server so the user account has only a single instance of each specific attribute name.

ID 440333

If you delete a BIG-IQ peer from a high availability active-active pair, then add the same BIG-IQ system back to the same (or to another) high availability pair, data between the devices no longer synchronizes.

After you delete a BIG-IQ system from a high availability active-active pair, create a backup on the BIG-IQ system. Then reset the system to factory settings by typing the following command on that BIG-IQ system: bigstart stop restjavad && rm -rf /var/config/rest && bigstart start restjavad. Then, you can add it as a new backup in a high availability pair, and they properly synchronize.

ID 437741

If you do not discover managed BIG-IP devices from the BIG-IQ system using a self IP address on the VLAN named internal, the BIG-IP device's restjavad.0.log logs the following message every minute: [8100/shared/identified-devices IdentifiedDevicesWorker][failed] java.net.ProtocolException: Status code:401

To work around this issue, you must configure an internal VLAN and self IP address for the BIG-IQ system and all managed devices.

ID 435629

When two BIG-IQ 7000 Platform devices are configured in a high availability pair, communication may only work in one direction between the two devices. This is exhibited by the following behavior: Device A is marked as standby, and reports its peer as active. Device B is marked as active, and reports its peer as down. When this occurs, high availability functionality does not work correctly. Device B will always assume Device A is down, so it will always remain active.

To work around this issue, re-initialize the certificates. If resetting the configuration to factory settings is an option, type the following commands on each device: bigstart stop restjavad; rm -rf /shared/em/ssl.crt/*.*; rm -rf /shared/em/ssl.key/*.*; rm -rf /var/config/rest/storage; rm -rf /var/config/rest/index/; bigstart start restjavad . If you cannot clear the configuration, perform the following steps on each device: 1) On the High Availability panel, delete the HA peer, and associated devices. 2) From the command line, type the following command to delete the local device: curl -X DELETE http://localhost:8100/shared/resolver/device-groups/cm-shared-all-big-iqs/devices . 3) To remove the existing certificates and restart the service, type the following commands on each device: bigstart stop restjavad; rm -rf /shared/em/ssl.crt/*.*; rm -rf /shared/em/ssl.key/*.*;bigstart start restjavad .

ID 431398

While booting, the BIG-IQ system may display the following warning in the console or logs: "SKIPPING unix_config_httpd: /defaults/config/templates/xui.tmpl doesn't exist!!!"

This message has no impact on the BIG-IQ system's functionality. You can ignore this benign message.

ID 428383

When you use the search field to filter for a number or phrase associated with a particular BIG-IP device, you might get some unexpected results. This occurs because BIG-IQ Device filters on all fields, not just those displayed in the Devices panel.

Removing BIG-IQ system services from a BIG-IP device

To manage a BIG-IP device using the BIG-IQ system, you must install specific BIG-IQ system components onto that device using the procedure outlined in the BIG-IQ Device: Device Management guide. In the event that you have to remove these services for any reason, use this procedure.

Log in to the command line of the BIG-IP device.

Stop any running BIG-IQ system services.

Note: The msgbusd service might not be installed. You can use the bigstart status command to see if it is running.

$ bigstart stop restjavad

$ bigstart stop msgbusd

Remove the RPM packages related to the BIG-IQ system.

mount -o remount,rw /usr

rpm -qa | grep f5-rest-java | xargs rpm -e --nodeps

rpm -qa | grep msgbusd | xargs rpm -e --nodeps

mount -o remount,ro /usr

This removes, from the BIG-IP device, the BIG-IQ system components, including the F5-contributed cloud connector iApp template (cloud_connector.tmpl).
